Back to blog
FBI AI Fraud Statistics 2025: What the $893M Figure Counts

Written by
Brightside Team
Published on
In April 2026, the FBI published its 2025 Internet Crime Report, and for the first time in nearly 25 years of annual reporting it broke artificial intelligence out as a distinct category: $893,346,472 in adjusted losses across 22,364 complaints.
The figure has been circulating ever since, usually attached to a claim it does not support. It gets quoted as the cost of deepfake fraud, as the price of AI voice cloning, or as the total damage AI-enabled crime did to Americans last year. The report supports none of those readings.
What the FBI measured is narrower than any of them, and more useful once you understand it. If you are about to put this number in a board deck, a budget request, or a risk register, it is worth knowing what it counts, why the FBI itself treats it as a floor, and what it cannot tell you about your own organization.
Key Takeaways
The FBI logged $893,346,472 in losses across 22,364 complaints carrying its AI descriptor in 2025, the first year AI was broken out in the IC3 annual report.
The descriptor records whether a complaint referenced AI, so the figure tracks victim awareness of AI rather than actual AI involvement in fraud.
Reported AI losses concentrate heavily in investment fraud, at more than $632 million. Business email compromise accounts for just 135 complaints and roughly $30 million.
The FBI states directly that many victims do not realize AI was involved, which makes $893 million a defensible floor rather than an estimate of the true total.
2025 is a baseline year with no prior AI figure, so any year-over-year AI fraud growth rate sourced to IC3 data is invented.
What the FBI Actually Published in Its First AI Fraud Breakout
The Internet Crime Complaint Center, IC3, collects fraud and cybercrime complaints from the public. In 2025 it received 1,008,597 of them, the first time it passed a million in a single year, representing $20.877 billion in reported losses and averaging close to 3,000 complaints a day.
Within that dataset, IC3 applies what it calls descriptors. A descriptor is a tag layered on top of a complaint's crime type, used for tracking. Cryptocurrency is one. Crimes against children is another. In the 2025 report, AI joined them.
The report's appendix defines the tag in a single sentence: "AI Related: Information reported contains a reference to artificial intelligence (AI)."
That definition governs everything downstream. The tag attaches to complaints that mention AI. It does not require investigators to establish that AI was used, or forensic analysis to confirm synthetic media. In practice the trigger is the victim's own account of what happened to them.
So the $893 million measures recognition rather than incidence. It captures the fraud losses where somebody noticed, suspected, or thought to write down that artificial intelligence played a part, which makes it a useful number but not the one most people think they are quoting.
Where the $893 Million Sits: AI-Flagged Losses by Crime Type
The report breaks the AI descriptor down two ways: complaint counts by crime type, and loss figures for selected scam categories. The two breakdowns are published separately and do not cover the same set of categories, so the table below shows where each is available.
Crime type | AI-flagged complaints | AI-flagged losses |
|---|---|---|
Investment | 4,356 | Over $632 million |
Extortion | 1,764 | Not separately reported |
Personal data breach | 1,204 | Not separately reported |
Phishing/spoofing | 803 | Not separately reported |
Harassment/stalking | 763 | Not separately reported |
Employment | 691 | Almost $13 million |
Confidence/romance | 626 | Over $19 million |
Business email compromise | 135 | Over $30 million |
Real estate | 115 | Not separately reported |
Advanced fee | 105 | Not separately reported |
Two things stand out. Investment fraud alone accounts for roughly 71% of all AI-flagged losses, which makes the headline figure substantially a story about investment scams rather than about corporate impersonation. And the four categories with published loss figures total about $694 million, leaving roughly $199 million spread across categories the report does not itemize.
Within the confidence and romance category, IC3 separates out distress scams, where voice cloning is used to imitate a family member in an emergency. Victims reported over $5 million in losses to those in 2025. That is the closest the entire report comes to a directly attributable voice-cloning figure, and it is worth holding on to whenever you see the $893 million described as the cost of voice cloning.
Five Reasons the Figure Is a Floor
The FBI is not hiding any of this. The report is explicit about its own limits, and those limits are structural rather than sloppy.
The descriptor depends on the victim's narrative. A complaint gets tagged when the reported information references AI. But the better the synthetic media, the less likely the victim is to know it was synthetic. Someone who takes a call from a cloned voice and never learns the voice was cloned files an accurate complaint that never mentions AI. The measurement degrades precisely as the attack improves, which is an unusual and consequential property for a statistic to have.
Each complaint carries exactly one crime type. The report's appendix states it plainly. A deepfake video call that produced a fraudulent wire transfer lands in one category, not several. Categories therefore cannot be summed against each other or compared naively, and the same underlying technique surfaces under different labels depending on what the victim lost.
Descriptors are analyst-assigned and provisional. IC3 notes that descriptive data such as crime type and loss "is variable and can evolve based upon investigative or analytical proceedings," and that its statistics are "an assessment taken at a point in time, which may change." These are not frozen figures.
Complaints filed directly with FBI field offices are not counted. IC3 totals reflect what came through IC3. The report says so in the context of ransomware reporting, and the same collection boundary shapes the dataset as a whole.
Adjusted losses exclude second-order costs. Here the report is specific about ransomware: adjusted loss figures do not include lost business, time, wages, files, equipment, or third-party remediation. The same accounting logic runs through loss reporting generally, though the report spells the exclusion out for ransomware in particular. Either way, a reported loss is a direct loss.
Then there is the FBI's own concession. Discussing investment scams, IC3 notes that AI-nexus losses surpassed $632 million while overall investment scam losses exceeded $8 billion, "demonstrating that many victims do not realize the extent AI may be involved in scams." That is the agency saying, inside its own report, that the number understates the problem.
One honest caveat in the other direction: self-reporting is noisy both ways. After two years of heavy media coverage, some victims may attribute an ordinary scam to AI without evidence. The undercount almost certainly dominates, but the descriptor is imprecise rather than merely low.
Why Business Email Compromise Shows Only 135 AI Complaints
For a corporate security audience, the strangest line in the table is business email compromise: 135 AI-flagged complaints, a little over $30 million, against more than $3 billion in total BEC losses in 2025.
That gap is not evidence that AI has stayed away from enterprise fraud. Every credible threat report, and most security teams' own inboxes, say otherwise. It is evidence about reporting language. When a finance team loses money to a fraudulent payment instruction, they report a business email compromise, because that is the category, that is the loss, and that is the language their insurer, their bank, and their counsel use. Whether the pretext involved a generated email, a cloned voice on a confirmation call, or neither is a detail about technique, not about what was lost. Corporate victims describe the crime. Consumers, particularly in investment and romance scams, describe the experience, and the experience is where AI becomes visible.
The practical consequence: the AI descriptor is weakest exactly where enterprise security budgets get set. If you are using IC3's AI figures to size a corporate social engineering problem, you are reading the category that captures it least well.
Employment scams make a related point. IC3 flagged almost $13 million in AI-involved employment fraud and noted that dollar loss stays low because the objective is usually access to private networks rather than immediate theft. The figure is small because the payoff arrives later, somewhere else, and under a different crime type. Ranking threats by reported dollar loss will mislead you for exactly that reason.
How These Numbers Get Distorted After Publication
Watching what happened to the IC3 figures in the months after publication is a decent short course in statistical hygiene. Four patterns recur.
An all-fraud figure relabelled as AI fraud. INTERPOL's March 2026 Global Financial Fraud Threat Assessment put global financial fraud losses at roughly $442 billion. That figure covers every category of financial fraud worldwide. It appeared in coverage under headlines announcing what AI fraud cost the world, which converts a total into an attribution.
A category total relabelled as a technique total. The $893 million routinely appears as the cost of AI voice cloning. Voice cloning contributes to it, but the only line the report attributes directly to voice cloning is the $5 million in distress scams. Two orders of magnitude separate those numbers.
A research threshold presented as an attack norm. You will often read that three seconds of audio is enough to clone a voice. That traces to real work: Microsoft's VALL-E research demonstrated zero-shot voice synthesis from a reference sample of roughly three seconds. The finding is genuine, and it describes what is achievable under research conditions rather than how attacks typically get built. ElevenLabs, whose tooling is far more likely to appear in an actual fraud, recommends one to two minutes of clean audio for instant voice cloning and 30 minutes to three hours for its professional tier. Treating the three-second figure as a standard workflow overstates how frictionless cloning is in practice, which makes the defensive conversation less accurate without making it more urgent.
Percentages without denominators. Claims like a 1,210% surge in generative-AI-enabled fraud circulate without a stated base, a defined population, or a measurement method. Without a denominator, a percentage conveys motion and nothing else.
None of this requires bad faith from the outlets involved. Numbers degrade in transit, and compression is how it happens.
A Standard for Citing AI Fraud Statistics
If you present these figures to a board, an auditor, or a regulator, a few habits make the difference between a number that holds up and one that gets picked apart.
Name the source, the period covered, and the publication date as three separate facts. The IC3 report covers calendar year 2025 and was published in April 2026. Collapsing those into "the FBI's 2026 figures" is the most common error in this material.
The denominator belongs in the sentence. $893 million out of $20.877 billion in total reported losses is a fundamentally different claim from $893 million on its own.
Classify what you are quoting. A measurement counts something that happened, an estimate models it, and a forecast predicts it. Deloitte's projection of $40 billion in US AI-enabled fraud losses by 2027 is a forecast, and calling it anything else is a mistake you only get to make once in front of a skeptical CFO.
Growth claims need a prior-year figure, and this one does not have one. Because 2025 is IC3's first AI breakout, there is nothing earlier to compare against, so any year-over-year AI growth rate sourced to IC3 has been manufactured.
Prefer a floor you can defend to a total you cannot. "At least $893 million, and the FBI says the real figure is higher because victims often do not know AI was involved" will survive questioning that a bigger, softer number will not.
Finally, resist stacking figures from different methodologies into one total. IC3 counts complaints filed by US victims. Surfshark's deepfake fraud research builds from publicly reported incidents worldwide since 2019. The FTC counts consumer fraud reports. Adding them produces a number that describes nothing.
What External Data Cannot Tell You About Your Own Exposure
Every figure in this article describes a population. None of them describes your organization.
No national statistic can tell you whether your finance team would act on a cloned voice on a Tuesday afternoon, whether your help desk would reset credentials for a convincing caller, or whether the employee who spots it would report it in four minutes or four days. Published data establishes that a threat category is real and worth budget. It cannot size your exposure, and treating it as though it can repeats the same category error this article has been describing, applied now to your own risk register.
The only evidence that answers those questions is first-party, and it comes from controlled exercise: simulation across the channels attackers actually use, not email alone, with outcomes tracked per employee rather than as an aggregate score.
Click rate alone will not get you there, because it only tells you who failed. The signals that matter more are reporting rate, which tells you whether anyone raised the alarm, time to report, which decides whether your response team gets a head start or a post-mortem, and behavior under voice and hybrid pretexts, where most programs hold no data at all because they have never tested it. That is the difference between a compliance metric and a measure of what your people actually do.
Detection tooling does not fill the gap either. A detector measures what it caught, which is a different question from what your people would do, and the two answers diverge most under exactly the conditions attackers engineer for.
Shortlist of top security awareness platforms with personalized training
Personalized training is downstream of per-employee data. A platform can only adapt what an individual sees if it knows how that individual has actually behaved, which is why simulation quality and personalization quality tend to rise and fall together. These four platforms approach that link differently.
Brightside AI
Brightside is a simulation-first platform built around AI-era attack rehearsal across email, voice, and deepfake scenarios rather than around a large content library. Its vishing simulator generates calls using cloned voices built from a one to two minute recording, with configurable social engineering tactics, NIST-aligned difficulty levels, and in-browser call preview before a campaign launches. Hybrid attacks combine a live call with a trackable phishing email as a single coordinated workflow, which is the closest most platforms come to reproducing how multi-channel fraud actually runs. Personalization is driven by a per-employee tracking chain covering delivered, opened, clicked, entered, and reported, and a cooling period prevents the same domain being reused against the same employee within three months so results are not contaminated by recency.
Pros
Voice and hybrid simulation depth that few competitors match, including custom voice cloning
Per-employee outcome tracking through to reporting, not just click rate
Preview before launch and configurable tactic design
Multilingual coverage across English, French, German, Italian, Polish, Spanish, and Dutch, with more added on request
Cons
Smaller content and template library than the large suites
Deepfake video rehearsal for executives is delivered as a managed service rather than self-serve
Hoxhunt
Hoxhunt is an enterprise human risk platform built around adaptive phishing and gamified learning. Its simulations adjust difficulty per individual based on prior performance, which makes it one of the stronger options for sustained behavior change across a large population, and its threat-intelligence feed keeps pretexts current. Remediation workflows connect into SOC processes so reported messages become operational signal rather than training trivia.
Pros
Genuinely adaptive per-user difficulty
Threat-intel-informed phishing realism
Strong engagement model and SOC-connected reporting
Cons
Email-centric relative to platforms with mature voice simulation
Gamification suits some cultures better than others
KnowBe4
KnowBe4 is the largest platform in the category by content volume and market adoption, with extensive training libraries, broad language coverage, and mature campaign automation. Its personalization works largely through automated campaign targeting and risk scoring across very large user populations, which is where its scale advantage is most visible.
Pros
Very large content and template library
Mature automation and administrative tooling
Broad language coverage and wide market adoption
Cons
Content can feel generic without customization effort
Less differentiated on voice and multi-channel simulation realism
Proofpoint
Proofpoint ties awareness training to its wider threat intelligence and email security stack. Its risk modelling identifies the individuals attackers actually target, and training adapts based on that exposure data rather than on simulation results alone. For organizations already running Proofpoint email security, the integration between real threat data and training assignment is the strongest argument in this list.
Pros
Risk modelling informed by real inbound threat data
Adaptive learning paths tied to attack exposure
Strong suspicious-message reporting workflow
Cons
Most valuable to organizations already invested in the Proofpoint ecosystem
Less simulation-first than specialist platforms, particularly for voice
Try our vishing simulator
Experience the most advanced voice phishing simulator built for security teams. Create scenarios, test voice cloning, and explore automation features.
FBI AI Fraud Statistics FAQs
How much did AI-enabled fraud cost in 2025 according to the FBI?
The FBI's IC3 recorded $893,346,472 in adjusted losses across 22,364 complaints carrying its AI descriptor during calendar year 2025, published in April 2026. That represents about 4.3% of the $20.877 billion in total reported losses. It reflects complaints where AI was mentioned, not all fraud in which AI played a role.
Does the $893 million figure mean AI fraud is smaller than deepfake reports suggest?
No. The two count different things. IC3 counts US complaints where a victim referenced AI in 2025. Research like Surfshark's cumulative deepfake fraud estimate counts publicly reported incidents globally since 2019. Different scope, geography, period, and method. Neither validates nor contradicts the other, and they should never be added together.
Why does business email compromise barely appear in the FBI's AI statistics?
Because corporate victims report the loss category, not the technique. A fraudulent payment instruction gets filed as business email compromise whether or not a cloned voice confirmed it. That is why BEC shows 135 AI-flagged complaints against more than $3 billion in total BEC losses, and why IC3's AI figures understate enterprise exposure specifically.
Can I use the IC3 numbers to show AI fraud is growing year over year?
Not from IC3 alone. 2025 was the first year the FBI broke AI out as a descriptor, so there is no prior-year figure to compare against. Any AI fraud growth rate attributed to IC3 data has been constructed from something else. You can cite growth in total reported losses, which rose 26% over 2024.
How should I estimate my own organization's exposure to AI-enabled social engineering?
You cannot derive it from national statistics. Published figures justify attention and budget; they cannot size your risk. Run controlled simulations across email, voice, and hybrid pretexts, track outcomes per employee through to reporting rather than stopping at click rate, and measure time to report. That produces first-party data about your workforce, which is the only data that describes it.


